The present invention relates to a port scanning method and a port scanning device. It further relates to a port scanning detection method and a port scanning detection device. It further relates to a port scanning system. It further relates to a computer program and to a computer program product.
Port scanners are widely used by network administrators but they are also maliciously used by hackers. A port scanner is designed to search a network host for open ports.
In the TCP/IP protocol stack, hosts are identified by a unique IP address, and services as well as applications running on a given host are referenced by two components, the IP address and a port number. Services and applications are processes running on a host. In the TCP and UDP protocols, port numbers are 16-bit values, which defines the range of distinct, usable port numbers. Most services on the Internet use well-known port numbers (below 1024), which are assigned by the Internet Assigned Numbers Authority (IANA), while other processes can use ephemeral port numbers (between 1024 and 65535) for their communication.
Information gathered by a port scan has many legitimate uses, including the ability to verify the security status of a host in a network. Port scanning may, however, also be used with malicious intent. Many exploits rely upon port scans to find open ports on which a potentially vulnerable process is listening, and then send large quantities of specific data in an attempt to trigger a condition known as a buffer overflow. Such behavior may compromise the security of hosts and of a network as a whole, resulting in the loss or exposure of sensitive information and in the ability to exploit a host's processing power. An example of a known port scanner is “nmap”.
Security assistants for networks or individual network devices include firewalls and access controls. In addition, intrusion detection systems are known, which monitor activity to identify malicious or suspicious events. An intrusion detection system acts as a sensor, like a smoke detector, that raises an alarm if specific suspicious patterns are observed. An intrusion detection system is designed for monitoring user, system, and networking activity; auditing system configurations for vulnerabilities and misconfigurations; recognizing known attack patterns in system and network activity; identifying abnormal activity through statistical analysis; managing audit trails and highlighting user violations of policies or of normal activity; and installing and operating traps to record information about intruders. Known intrusion detection systems, also referred to as intrusion detection assistants, are designed to detect an attack by a series of TCP SYN packets sent to many different ports on a host in succession and in short time intervals, as would be the case for a port scan. Upon detection of such an attack, the intrusion detection system initiates some counteraction. These actions may comprise increasing the amount of data collected, taking protective action to reduce exposure, or notifying a human operator. Such intrusion detection assistants are disclosed in the article “Security In Networks” by Shari Lawrence Pfleeger and Charles Pfleeger, available on the Internet at http://www.informIT.com/articles/article.asp?p=31339&seqNum=5.
From U.S. Pat. No. 6,324,656 B1, a computer-implemented method for rules-driven multiphase network vulnerability assessment is known, which comprises pinging devices on a network to discover devices connected to the network. Port scans are performed on a discovered device and banners are collected. Information from the collected banners is stored as entries in a first database. Analysis is performed on the entries by comparing them with a rule set to determine potential vulnerabilities.
From the article “Network Authentication Across Closed Ports” by Krzywinski, M., published in Sys Admin magazine 12 of 2003 and also available at http://www.linuxjournal.com/article/6811, port knocking is known. The article discloses that a firewall should provide protection against malfeasant actions while allowing trusted users to connect. It is not always possible to filter out malicious traffic, because filtering on the basis of IP addresses and ports does not distinguish between connecting users: an attacker may send traffic from trusted IP addresses. Moreover, open ports remain a potential vulnerability: they allow connections to processes on a host and therefore may turn into open doors for attacks. Port knocking is a method in which trusted users manipulate firewall rules by transmitting information across closed ports. To this end, users make connection attempts to sequences of closed ports. The failed connections are logged by the service-side packet-filtering firewall and detected by a daemon that monitors the firewall log file. When a properly formatted knock sequence, which plays the role of the secret used in the authentication, is received, firewall rules are manipulated based on the information content of the sequence. In commonly deployed firewalls, filtering is done either by the IP address of the connecting host or by the port to which the host is connecting. Firewalls examine and interact with packets before any user authentication takes place; therefore, they do not discriminate amongst users attempting to open a connection. It is expected that once the firewall has approved a packet and allowed it to enter the network, downstream applications will handle user authentication. Port knocking provides an authentication system that works across closed ports, eliminating the risks associated with publicly open ports.
During the port knocking procedure, a commonly agreed-upon port sequence is first addressed, which acts as the header of the port knock. After that, connections are attempted to further ports, from which sequence the receiving host may derive the port actually intended to be opened. The host may then open the respective port, which is then available for communication. To minimize the risk of a functional sequence being constructed by an intercepting party, the above-mentioned article proposes encrypting the information content of the sequence, which contains the remote IP. For this, one-time passwords or one-time pads are used for encryption. It is further known to encrypt the remote IP, the ports, the time, and a checksum.
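The two log-driven mechanisms described above, the intrusion detection heuristic (one source sending packets to many different ports within a short interval) and the port-knocking daemon that watches the firewall log for a properly ordered sequence of attempts on closed ports, can be illustrated with one small script. The following Python is an added example; it is not code from the patent or from the Krzywinski article. The firewall log format, the addresses, the port numbers, the time windows, the scan threshold and the knock sequence (7000, 8000, 9000) are all assumptions chosen for illustration, and the log lines are constructed rather than captured.

```python
"""Detect a port scan and a port-knock sequence in firewall drop-log lines.

Added example (not from the patent text). The log format is hypothetical;
real firewalls (e.g. iptables LOG) use different field names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Sequence, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dpt: int


# Hypothetical line format: "<iso-time> DROP src=<ip> dst=<ip> proto=<p> dpt=<port>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)"
)

SAMPLE_LOG = "\n".join(
    # Constructed: one source sweeping ten common ports within two seconds.
    [f"2024-01-01T10:00:0{i // 5} DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt={p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    # Constructed: a trusted user knocking 7000, 8000, 9000 one second apart.
    + [f"2024-01-01T10:05:0{i} DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dpt={p}"
       for i, p in enumerate([7000, 8000, 9000])]
    # Constructed: the same ports, but the second knock arrives 30 s late.
    + ["2024-01-01T10:06:00 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=7000",
       "2024-01-01T10:06:30 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=8000",
       "2024-01-01T10:06:31 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dpt=9000"]
)


def parse_log(text: str) -> List[Event]:
    """Parse drop-log lines into Events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"],
                                m["dst"], m["proto"].lower(), int(m["dpt"])))
    return events


def detect_port_scans(events: Sequence[Event], window: timedelta = timedelta(seconds=5),
                      threshold: int = 10) -> Dict[str, int]:
    """Return {src: most distinct destination ports hit within any `window`}
    for every source reaching `threshold`; quieter sources are omitted."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, first in enumerate(evs):
            # Distinct ports seen in the window that opens at this event.
            ports = {e.dpt for e in evs[i:] if e.ts - first.ts <= window}
            best = max(best, len(ports))
        if best >= threshold:
            flagged[src] = best
    return flagged


def detect_knocks(events: Sequence[Event], sequence: Sequence[int] = (7000, 8000, 9000),
                  window: timedelta = timedelta(seconds=10)) -> List[Tuple[str, datetime]]:
    """Return [(src, completion time)] for each source that hit `sequence` in
    order, finishing within `window` of its first knock. A knock to any port
    other than the next expected one resets that source's progress."""
    state: Dict[str, Tuple[int, datetime]] = {}  # src -> (next index, start time)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        idx, start = state.get(ev.src, (0, ev.ts))
        if idx > 0 and ev.ts - start > window:
            idx = 0  # sequence took too long: start over
        if ev.dpt == sequence[idx]:
            if idx == 0:
                start = ev.ts
            idx += 1
        else:
            # Wrong port resets progress, but it may itself be a fresh start.
            idx, start = (1, ev.ts) if ev.dpt == sequence[0] else (0, ev.ts)
        if idx == len(sequence):
            hits.append((ev.src, ev.ts))
            idx = 0
        state[ev.src] = (idx, start)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(evs))
    print("knocks:", [(s, t.isoformat()) for s, t in detect_knocks(evs)])
```

Run as a script, it flags 198.51.100.7 as a scanner (ten distinct ports inside a five-second window) and 203.0.113.5 as a completed knock; 203.0.113.9 is neither, because its second knock falls outside the ten-second knock window and it touches too few ports to count as a scan. The two detectors deliberately share the same parsed events: the same log that the intrusion detection assistant inspects for scans is the one the knock daemon reads, which is also why a knock sequence must be ordered and time-bounded rather than just a set of ports, so that a scanner sweeping the range does not accidentally open the door.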
It is a challenge to provide a port scanning method and a respective port scanning device, which are versatile and at the same time are efficient. It is a further challenge to provide a port scanning detection method and device, which are versatile and at the same time are efficient. It is a further challenge to provide a port scanning system, which is versatile and at the same time is efficient.